Technical notes gathered while studying for the CCIE certification.

By daxm

DHCP snooping seems to me a strange security enhancement. Though I agree that protecting against a rogue DHCP server is important, the way Cisco implements it is odd.

In order for DHCP snooping to work, at least three configuration steps are needed:

1) Enable DHCP snooping globally on the switch — (config)#ip dhcp snooping

2) All ports are “untrusted” by default, so specify which ports are “trusted”. Trusted interfaces are the ones along the path to the DHCP server: the uplink or trunk ports that lead toward it, and the port the server itself plugs into. Trust only those. A trunk toward another access switch carries only client requests and does not need trust; leaving it untrusted is exactly what stops a rogue server plugged in behind that switch from answering. Client-facing access ports always stay untrusted. — (config-if)#ip dhcp snooping trust

3) Enable snooping on the client VLANs. The global command on its own inspects nothing: the switch only examines DHCP on the VLANs listed with this command, and traffic on any other VLAN is forwarded as if snooping were off. (The verification output further down shows this state as “configured on following VLANs: none”.) — (config)#ip dhcp snooping vlan <vlan-id>

4) (Optional?) After configuring the above commands in my local (home) network I noticed that my DHCP requests were not being answered. Thanks to a buddy of mine (Thanks Walt!) he showed me that the DHCP snooping process was adding Option 82 to my DHCP requests by default. Apparently my DHCP server didn’t like that option, because as soon as I disabled Option 82 from being sent my DHCP requests were answered. — (config)#no ip dhcp snooping information option

The reason this bites is that a snooping switch inserting Option 82 is not a relay, so it leaves the giaddr field at 0.0.0.0, and some DHCP servers drop any packet that carries relay-agent information with a zero giaddr. Disabling insertion is the simplest fix when nothing downstream consumes Option 82. If you do need it, the alternatives are to make the server accept it (on a Cisco IOS DHCP server: ip dhcp relay information trust-all) or, on an upstream snooping switch that receives these packets on an untrusted port and would otherwise drop them (see “Option 82 on untrusted port is not allowed” in the output below): ip dhcp snooping information option allow-untrusted.
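The steps above put together as one complete configuration. This is an added example, not the author's own config; it assumes clients live in VLAN 10, GigabitEthernet0/24 is the uplink toward the DHCP server, GigabitEthernet0/1 through 0/23 are client access ports, and (as in the author's case) the DHCP server does not accept Option 82.

```cisco
! Added example, not the author's configuration. Assumptions: client VLAN 10,
! Gi0/24 = uplink toward the DHCP server, Gi0/1-23 = client access ports.
!
! Global enable. On its own this inspects nothing.
ip dhcp snooping
! Snooping only inspects the VLANs listed here; an unlisted VLAN is
! forwarded exactly as if snooping were off.
ip dhcp snooping vlan 10
! Stop inserting Option 82: the default inserts it with giaddr 0.0.0.0,
! which some servers reject. Only if Option 82 is actually needed, use
! instead:
!   on a Cisco IOS DHCP server:        ip dhcp relay information trust-all
!   on an upstream snooping switch that receives these packets on an
!   untrusted port:                    ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option
! Let a port err-disabled by the rate limit below recover on its own.
errdisable recovery cause dhcp-rate-limit
!
! Trust ONLY the path toward the server.
!   Weak form:      "ip dhcp snooping trust" on every trunk, which lets a
!                   rogue server behind any neighbouring switch answer.
!   Corrected form: trust the single uplink that leads to the real server.
interface GigabitEthernet0/24
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default). The rate limit caps DHCP
! packets per second from the port, so a client flooding DISCOVERs
! err-disables its own port instead of exhausting the server's pool.
interface range GigabitEthernet0/1 - 23
 description Client access ports
 ip dhcp snooping limit rate 15
!
! Verification: "show ip dhcp snooping" should list VLAN 10 under both
! the "configured" and "operational" lines, Gi0/24 as trusted, and
! "Insertion of option 82 is disabled". "show ip dhcp snooping binding"
! should then show one MAC/IP/VLAN/port entry per client that got a lease.
```

The rate limit of 15 packets per second is generous for a single client port; the value to avoid is anything on an untrusted port high enough that a flood never trips it. If snooping stops working after an access switch is added behind an untrusted trunk, check the Option 82 handling first: the downstream switch inserts it, and the upstream switch drops it on arrival unless that trunk is trusted or allow-untrusted is set.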

The following commands are used to verify that DHCP snooping is configured correctly. Check three things in the output: the VLANs you enabled appear under both the “configured” and “operational” lines, the uplink toward the server is listed as trusted, and the Option 82 line matches what you intend. In the output below both VLAN lists read “none”, which means the global command is on but no VLAN is actually being inspected yet; the “Insertion of option 82 is disabled” line confirms the step 4 command took effect.

show ip dhcp snooping

daxm-home-switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 0022.56f9.6400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces: